Security
I cover crime, privacy and security in digital and physical forms.

Going by hacker stereotypes, it’d be pretty easy to physically identify anyone committing an act of digital crime. A combination of pallid skin, hoody and laptop is the biggest giveaway. Such hackneyed images of hackers are, of course, evidently wrong, bordering on offensive. Real hackers penetrating business networks have the common sense to avoid cliched clothing and try to conceal their tools.

For those who can bear the pain, biohacking, where computing devices are injected under the skin, provides a novel way to acquire real stealth to sneak through both physical and digital scans. That’s why US navy petty officer Seth Wahle, now an engineer at APA Wireless, implanted a chip in his hand, in between the thumb and the finger - the purlicue apparently - of his left hand. It has an NFC (Near Field Communications) antenna that pings Android phones, asking them to open a link. Once the user agrees to open that link and install a malicious file, their phone connects to a remote computer, the owner of which can carry out further exploits on that mobile device. Put simply, that Android device is compromised. In a demo for FORBES, Wahle used the Metasploit penetration testing software on his laptop to force an Android device to take a picture of his cheery visage.

The image security expert Seth Wahle took of himself from a hacked Android device, after sending it a malicious link from an NFC chip in his hand.

He’ll be showing off the surreptitious attack at the Hack Miami conference taking place this May, alongside the event’s secretary of the board and security consultant Rod Soto. They admit it’s a rather crude piece of research, given it's using off-the-shelf tools and a known attack technique over NFC, but claim this implant-based attack could provide criminals with a particularly useful “tool in their social engineering toolset”.

“This implanted chip can bypass pretty much any security measures that are in place at this point and we will show proof of that,” says Soto.

Looking at the widespread adoption of NFC in business, implants could provide a route into various networks. More sophisticated code on the chip would increase the potential for more serious damage, especially if a zero-day (an unpatched,previously-unknown vulnerability) was put into action via a chip, warns Soto.

Seth Wahle's hand, before and after he injected an NFC chip into it.

But implants aren’t for the squeamish. Wahle says the needle was bigger than he’d expected when he had the chip implanted by an “unlicensed amateur” for $40, enough to make him want to vomit. He says he had to go through a backstreet operation due to Florida’s restrictive body modification laws. He first had to acquire the chip, designed to be injected into cattle for agricultural uses, from Chinese company Freevision (see images below for their animal products and the sizeable syringe used by Wahle). But the chip, which has just 888 bytes of memory and is encapsulated in a Schott 8625 Bio-glass capsule, is now barely noticeable, Wahle says, poking at the cylindrical object over his webcam during a Skype call with FORBES.

Implants for cattle, used by hacker Seth Wahle to launch Android attacks.

The model of syringe used by Wahle in his $40 backstreet chip injection.

There are some clear limitations to an implant-based attack, but they can be overcome through various means. The malicious Android file created by Wahle and Soto, for instance, loses connection to the attacker’s server when the phone is locked or if the device is rebooted, but having the software run as a background service that starts on boot would fix that, according to Wahle's whitepaper on the attacks. As the rogue code has to be manually installed, some decent social engineering will also be required, though making the malicious file appear legitimate, using
Google Play signatures and initiating an additional exploit to cause a forced installation, would minimise the amount of charm and cunning needed.

Kevin Warwick, who claims to be the first human to have implanted an NFC chip inside his body, told FORBES it was "good that this particular application is being tested as it gives some idea of what might be possible and some of the dangers apparent". Warwick, now professor of cybernetics at the University of Reading in the UK, also noted the inability of security systems to pick up on the technology. "Such an implant doesn't get picked up at airports and so on, the amount of metal in it is far far less than wearing a watch or wedding ring. Even my neural implant of 2002, with a length of platinum wire implanted was not picked up. In fact I still have some of the wires in my arm and fly regularly."

In Miami, Wahle and Soto are planning to detail the steps hackers will need to go through to add implants to their arsenal, including how to acquire the hardware and program the chip. Could this be the beginnings of the democratisation of malevolent biohacking? “This is just the tip of the iceberg… anyone can do this,” adds Soto.

I cover security and privacy for Forbes. I’ve been breaking news and writing features on these topics for major publications since 2010. As a freelancer, I worked for The Guardian, Vice Motherboard, Wired and BBC.com, amongst many others. I was named BT Security Journalist o...